Skip to content

fix: insightengine/tools/search in search.py#674

Open
orbisai0security wants to merge 1 commit into
666ghj:mainfrom
orbisai0security:fix-sql-injection-hot-tables-whitelist
Open

fix: insightengine/tools/search in search.py#674
orbisai0security wants to merge 1 commit into
666ghj:mainfrom
orbisai0security:fix-sql-injection-hot-tables-whitelist

Conversation

@orbisai0security

Copy link
Copy Markdown

Summary

Fix critical severity security issue in InsightEngine/tools/search.py.

Vulnerability

Field Value
ID V-001
Severity CRITICAL
Scanner multi_agent_ai
Rule V-001
File InsightEngine/tools/search.py:170

Description: InsightEngine/tools/search.py:170 constructs a raw SQL query string using Python string format interpolation. Variables including {title}, {author}, {url}, {formula}, {tbl}, and {time_filter} are embedded directly into the SQL string without parameterized binding. These variables are derived from platform configuration and potentially user-influenced keyword or parameter values. The {tbl} variable is particularly dangerous as it allows table name injection, enabling access to arbitrary database tables.

Changes

  • InsightEngine/tools/search.py

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

Automated security fix generated by Orbis Security AI
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label May 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant